OpenWrt Forum Archive

Topic: creating two separate WLANs using EAP/RADIUS server

The content of this topic has been archived between 22 Mar 2018 and 19 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey all,

I admire the work you guys are doing, and I'm starting my own project with OpenWRT. I want to be able to create two separate wireless LANs using EAP authentication (with a RADIUS server). Has anyone else had any experience with this? Let me know what you guys think, or if you can suggest another way to create two separate networks (one where users authorize w/ something, the other where no authorization is required), please tell me.

(I'll be using a WRT54GS)

drsomewhat

come on people, 57 reads and no posts - at least give me some input

I'm reading and not replying (pretend this isn't a reply) because I haven't got an answer.
That said, there may not be an easy answer as it may take significant rewriting due to A - necessary limitations of the uClibc libraries and B - limited math functions in the CPU.
However, while I've played with Radius a little I've never even compiled it, let alone examined the code.

I'm considering RADIUS, but I think I can do this with subnets and traffic shaping. If I removed the br0 so that wireless and ethernet are on different ranges this might work.

But still, authentication would be better... I was looking at tinyPEAP and I'm angry they went to Sveasoft -- what they made could have helped a lot of people a lot more than made money for Sveasoft.

Do you want these two networks with one WRT on the WLAN side? -> you'll need subinterfaces.
Or: do you take two WRTs? -> where do you want the authentication? Between the two routers (OpenVPN could be a solution) or between one Access Point and its WLAN clients (give PPTP a try)?

Currently I'm fighting with the pptpd to get it working. Take a look: http://nthill.free.fr/nicowrt/src/packages/pptp-server/ (thx Nico for your great work!) There's also a plug-in for radius.

Please describe your network once again ;-)

The network I'm talking about is only using one WRT54GS.

This WRT must auth private users, securing their network.

The public network would require no authentication, but also will be limited by traffic shaping, and some other factors (i.e., no access to internal network nodes).

I can go much more into detail, but I don't want to waste anyone's time.

Tell me details, it sounds interesting ;-)
Do you want two networks via the WLAN link? -> DHCP can't work on both networks.

I think (in theory) it should be possible to create two subinterfaces on eth1 (wlan interface), delete eth1 from the bridge (brctl delif br0 eth1).
F.e.: Subinterface A gets the IP address 192.168.1.1/24 and subinterface B 192.168.2.1/24
Let us say, users in network A (192.168.1.0) should receive their IP addresses via DHCP and users in network B should have static IP addresses and also should authorize against something. If this is ~what you need, I will give it a try this evening.

Do you need the RADIUS server running under OpenWRT? If you can use another RADIUS server (freeradius, yaradius, xtradius, etc) running on a separate machine you don't need tinyPEAP.

However there is still one other problem. Sveasoft have WPA support integrated into their firmware, so far OpenWRT does not. There were some posts to their forum with some basic information on it last time I looked, but since they've closed their forums to non-subscribers, I can't check. From memory, I think someone ported the essential piece from the open1x tools. They couldn't use the binary included in the linksys firmware ('nas' I think), as it was both closed source, and linked against a different version of uClibc. But it's been a while so I might well be wrong.

Any Sveasoft subscribers care to search their forums for posts about WPA and/or 802.11i and tell us how they did it? Or better yet, build us an ipkg of the code?

jaka: thanks for your input. I'll need radius running off the openwrt interface - I can't have an external server that needs to handle basically anything. My project basically is about developing a residential-priced solution to creating a metropolitan public WLAN. The router has to be able to handle everything to minimize cost and aid distribution of such a device. Imagine being able to be anywhere in a city and be online.

As much as I dislike Sveasoft for what they have done with their stuff by making it closed, and that code that they are keeping for themselves can revolutionize the way computers communicate, I can't support code theft. If the way of the future is technology and computing, and everything were open source, we would already have countless inventions like holography, teleportation, you know, but so many people are just in everything for money, and that's bad science.

Perhaps we could convince the tinyPEAP crew to release their source.

schorsch01: Your idea is something I could never have thought of on my own. It sounds like it might just be the way to do what I'm saying, and then have something for authentication that is much more powerful than WEP.

I'll take a look at the forum you linked and see what I learn from it. Thanks for that link, too.

As for the details of my project, I'll post them tomorrow afternoon - that will be the first chance I will have enough time to sit down for a while.

But most importantly, thank you all for your time and thought. I'm looking forward to what you guys have to say.

Firstly I'd like to point out that I was not suggesting any kind of "theft" (I don't think much of the hijacking of a perfectly good word that means removal of physical goods from their proper owner to refer to copyright infringement/license violation, which are both totally different issues, but anyway).

Sveasoft can't close their firmware. It's still based on GPL code. They can limit access to their forums, refuse to distribute their code to people they don't like, etc etc, but anyone who does receive that code still retains all the rights the GPL offers. Including the right to port bits of it to OpenWRT.

That may not apply to tinyPEAP, if they built their RADIUS server from scratch they can license it however they want and I have no idea what license they're using. But the open1x based code is definitely GPL.

In reference to your project idea, you're likely to run into some serious scaling issues. The 802.11 MAC design just can't handle more than maybe a couple of thousand nodes at the absolute maximum, have a look at http://dailywireless.org/modules.php?na … ;src=rss10 and http://www.smallworks.com/archives/00000072.htm for some more info on some of the issues with large 802.11 based networks. But if that doesn't kill it, one thing to consider is that if you were to use a RADIUS server, you'd be a lot better off with one external server for the entire network. Otherwise you need some method to propagate client information between all the independent RADIUS servers, one per OpenWRT box, or people will only be able to log on to their own boxes. Which kinda defeats the purpose of a metropolitan public network.

jaka: thanks for the reply -- scaling is something I overlooked. Fortunately, however, it might not have much of an effect on what I'm proposing. (I'll explain the project in its fullest tomorrow.)

About porting some code - as long as it's not considered stealing and won't make Sveasoft come after us, I'm all for it. There is a lot they have that would make this project fly.

I'm glad that I'm getting this input. It is all really making my thought process move. Let's see what we can do. (I've already thought about how to pitch this to some city officials in NYC - we could make this happen. I still have like 9/10 of my project to explain.)

Well, Sveasoft might not like it much, as they do seem to be doing their best to minimise the chances of anyone else actually taking advantage of any of the development work they're doing. But it is completely legal, at least for the GPL code that they've modified and integrated. As always, check the license first.

I'll be interested to see the details of your project.

Thanks for the pointer mbm. Looks like a good start, but I can't see any mention of support in hostapd, just wpa_supplicant. The FAQ says only wpa_supplicant supports drivers other than hostap. I think hostapd would be needed to run the WRT54G as a WPA access point rather than just as a client of another WPA access point, as it provides the WPA authenticator. I hope I'm wrong.

Thanks so far guys - haven't checked the links mbm posted yet, but later tonight I'll post about my project, in like 6 or so hours. I'm going to leave work now and ponder how we can do this even more.

Ok, sorry for the delay.

What I want to do is create a public and private network that one single WRT54GS can manage. The public connection doesn't need any authentication or WEP/etc, while in order to connect to the private network, some auth will be necessary (preferably WPA or something through RADIUS).

The point of the project is to create a wireless public network in an urban setting. The professor I'm working with can get me in touch with New York City government and emergency services people so I might be able to get something started with my work when I get some stuff done.

There's one part of it that has to do with emergency services. Firefighters/police cars/EMT ambulances would be able to connect to a private connection for a very brief amount of time. They will have the right to kick a public connection off of one router briefly.

One router won't necessarily be handling all the traffic in a whole building, so you don't have to worry about 1000s of nodes connecting to one single router. It would be more like 4-10 private and 1-5 public nodes that would connect to a router at any given time. This would be true since multiple routers will be available in neighborhoods.

Hacking into the router shouldn't be an issue since all routers would be using the 192.168.1.1 IP, and if you tried to manually connect w/o private authentication, you might get one of five possible connections. Only a private user would be able to modify settings. And in addition, on such a large scale, hacking one single public node wouldn't be easy, since his connection might be switched over to another router nearby at any given moment.

I hate to be the bearer of bad news, but when I said 'a couple of thousand nodes at absolute maximum', that applies to the entire network, not just one router. Each router will be limited to tens of nodes I think. That means your network is likely to implode horribly somewhere around 125-333 routers, if your client count estimate is right. Though exactly when it falls over will depend a lot on the distribution of those clients.

Also, a single WRT54GS is kinda unlikely to have the CPU/memory/flash required to manage a network on this scale, I strongly suspect you'd need an external RADIUS server. Plus regular updates to the RADIUS database wouldn't be too healthy for the flash.

Finally, I'm not entirely sure if the topology you're suggesting would work. I haven't played with large networks of APs in managed mode (I've been experimenting with APs in client mode for OLSR mesh networking instead) but as far as I know, they form a single large network. Meaning you'll need to use a larger subnet, every IP has to be unique, and if someone gets on the network anywhere, they'll have complete access. But as I said, I haven't tried it, so I could well be wrong there.

Can you explain your last paragraph one more time? I just don't understand it (maybe that's because English is not my mother language). All routers would get the IP address 192.168.1.1 (Layer 3 in OSI Reference Model), so you differentiate the routers through the SSID and the channel? I have no idea what you mean.

Hacking into the router shouldn't be an issue since all routers would be using the 192.168.1.1 IP, and if you tried to manually connect w/o private authentication, you might get one of five possible connections. Only a private user would be able to modify settings. And in addition, on such a large scale, hacking one single public node wouldn't be easy, since his connection might be switched over to another router nearby at any given moment.

The question with the public and private network could easily be solved with the use of a pptp server on the WRT54 (maybe you saw my post in this forum). I tried the pptp daemon packaged by Nico last weekend and I can say that it works perfectly (authentication and - if you like - encryption).

Let me explain the pptp scenario a little bit more to see if it's what you need:
*) There's a public network where you don't have to authenticate. What's allowed for the user in this network is managed by the firewall on the WRT54 (iptables). F.e.: Users are only allowed to access HTTP, so there are firewall rules to allow access to port 80 and everything else is blocked. This network has the IP address 172.16.1.0 with the netmask 255.255.0.0 - the router has the IP address 172.16.1.1.
*) Everybody has access to the public network (as the name says) and from this network you can get access to a second network, which is private and needs some authentication (even encryption). I would suggest the use of the pptpd. -> User A sits in front of his PC and can connect to the private network with username and password through router 172.16.1.1. That's a VPN (=Virtual Private Network). The IP address of this network is 192.168.0.1 with netmask 255.255.255.0 (that means you can have up to 254 users in this network; if you need more you can use another IP class).
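An added example (not code from the thread or from Nico's package) of the iptables split schorsch01 describes: the public segment gets HTTP out plus what it needs to open the PPTP tunnel to the router, is kept out of the private segment, and authenticated ppp users are trusted. Assumed names: the public WLAN is eth1 on 172.16.0.0/16, the VPN users land on ppp interfaces in 192.168.0.0/24, the WAN is vlan1; DNS and DHCP for the public side go beyond the post and are marked as such.

```shell
#!/bin/sh
# Assumed layout (example, not from the thread): public WLAN on eth1
# (172.16.0.0/16, router 172.16.1.1), PPTP users on ppp+ (192.168.0.0/24),
# WAN on vlan1. IPT defaults to iptables; IPT=echo prints the rules instead.
IPT="${IPT:-iptables}"
PUB_IF="eth1"
PRIV_NET="192.168.0.0/24"
WAN_IF="vlan1"

public_rules() {
    $IPT -N public_in
    $IPT -N public_fwd
    $IPT -A INPUT   -i "$PUB_IF" -j public_in
    $IPT -A FORWARD -i "$PUB_IF" -j public_fwd

    # Unauthenticated clients may only talk to the router to set up PPTP:
    # TCP 1723 for the control connection and GRE (IP protocol 47) for the tunnel.
    $IPT -A public_in -p tcp --dport 1723 -j ACCEPT
    $IPT -A public_in -p 47 -j ACCEPT
    # Assumption beyond the post: leases and name lookups, or HTTP-only is unusable.
    $IPT -A public_in -p udp --dport 67 -j ACCEPT
    $IPT -A public_in -p udp --dport 53 -j ACCEPT
    # Everything else to the router (admin UI, ssh, ...) is dropped for public users.
    $IPT -A public_in -j DROP

    # The private-segment block must come before the HTTP allow.
    $IPT -A public_fwd -d "$PRIV_NET" -j DROP
    $IPT -A public_fwd -o "$WAN_IF" -p tcp --dport 80 -j ACCEPT
    $IPT -A public_fwd -j DROP
}

private_rules() {
    # Traffic arriving over an established PPTP session is authenticated by pppd.
    $IPT -A INPUT   -i ppp+ -j ACCEPT
    $IPT -A FORWARD -i ppp+ -o "$WAN_IF" -j ACCEPT
}

state_rules() {
    # Return traffic for both segments, inserted at the top of each chain.
    $IPT -I INPUT   1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_all() {
    state_rules
    public_rules
    private_rules
}

# Load the rules only when called as "sh script apply"; sourcing just defines them.
case "${1:-}" in apply) apply_all ;; esac
```

Run it once with IPT=echo to review the generated rules before loading them on the box.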

Thanks for keeping with me here.

Jaka, what I'm proposing isn't a metropolitan mesh network, but simply one router hosting two networks. Sure there might be many routers within the same service range, but these routers wouldn't be directly linked to one another. I admit that I am overlooking quite a bit of stuff - but I still have a feeling this can be done. Rather than having one huge network that all these routers are bits and pieces of, I'm saying have thousands of smaller networks. With authentication, private users will have a solid connection to their own personal router, while un-authenticated public users can connect to the first router available. But anyways, your input is always great - if I plan on presenting a prototype to someone, these are the questions I can expect to hear. You definitely have seen and done more than I have with wireless networks.

Also, in the end I might end up setting a private node as a RADIUS server. Having just read what you typed, I remembered that updating would require rewriting flash, which would eventually ruin the flash memory. Thanks, as this is something that I need to keep in mind.

schorsch01: I think that you might just have given me a clear cut idea of what I need to do now. I'm going to give pptp a shot. I bet it's what I need, and with some modification, it probably could answer my problem.

What I had in mind with the 192.168.1.1 idea regarding protecting routers had to do with authentication. If private users authenticated, they would be linked to their own router. But if public users haven't authenticated, they would not be able to connect to 192.168.1.1 all that easily. A public user won't be guaranteed to be connecting to the same router every time it tries to access 192.168.1.1.

Once again, thanks for the input.

schorsch01: Does PPTP require a client to install anything? It seems so on Nico's package list. I'd need the client program to work with any operating system (Windows, Linux, Mac); this might be a holdback/reason not to use PPTP at the moment.

The pptp client is built in with Windows. I think Win95+. But there are also clients for Linux -> search for pppd with google. I successfully connected to the pptp daemon running on my WRT54G from Windows XP (without installing any client, because it's built in) and from Linux (I used the Live-Linux CD - Knoppix).

Command with Knoppix (Linux):

pptp 192.168.1.1 --nolaunchpppd --debug --localbind 192.168.1.21

Where 192.168.1.1 is the IP address of the router. Check this with 'ifconfig' on your router. It's interface br0 on my WRT.
Check this forum thread: http://openwrt.org/forum/viewtopic.php?t=329

Homepage of pptp daemon: http://www.poptop.org/
Look also at the documentation site: http://poptop.sourceforge.net/dox/
On this page you can find documentation how to make a connection from Windows and Linux.

From this site:

Client configuration
Windows 9x/ME (Richard de Vroede)
Windows NT4 (Richard de Vroede)
Windows 2000 (Richard de Vroede & Kenny Root)
Windows XP German (Armin Fischer)
Linux (PPTP client project)

When configuring the pptp daemon on your WRT get the config files from Nico's site: http://nthill.free.fr/nicowrt/src/packa … erver/etc/ as I described at the forum thread http://openwrt.org/forum/viewtopic.php?t=329

I'm sure we'll find a decent solution together.

Back to the question with the radius server. I think it could be a little bit tricky to connect to a central radius server if the routers are not connected in any way, as you described in your last post:

Sure there might be many routers within the same service range, but these routers wouldn't be directly linked to one another.

Another solution *could* be to save username+password within the /etc/ppp/chap-secrets file and to synchronise these files with some shell scripts (sure, I know, that's not a "nice" solution).

Please keep us up-to-date with your project and have fun with this nice little WRT box.

PPTP clients are included natively in WinXP, Win2K and MacOS X. You can find clients for Win9x too. And of course there's an OSS implementation (pptp-client) for all those Unices around... this is the one you'll find on the package listing, built for OpenWRT.

--
Nico

Ahh, thank you schorsch01 and Nico, I'll be sure to try pptp out once I get home today.